Data Processing Addendum
Raven CAD GmbH Data Processing Addendum for Professional customers.
Last updated: 12 June 2026
This Data Processing Addendum ("DPA") applies where Raven CAD GmbH ("Raven") processes Professional Customer Personal Data on behalf of a customer using the Professional plan. This DPA forms part of the Terms of Service or other agreement between Raven and the customer (the "Agreement").
This DPA is intended to satisfy applicable processor-contract requirements, including requirements under the GDPR, UK GDPR, Swiss Federal Act on Data Protection, and similar laws where applicable.
1. Scope
This DPA applies only to Professional Customer Personal Data processed by Raven on behalf of a Professional customer.
This DPA does not apply to:
- Free or Regular Research Use;
- Research Data processed by Raven under the Terms of Service;
- Account Data processed by Raven as an independent controller;
- billing data, payment data, tax data, security data, fraud-prevention data, legal-compliance data, or enforcement data processed by Raven as an independent controller;
- anonymized data that no longer identifies a person; or
- Enterprise processing governed by a separate signed agreement, except where that agreement incorporates this DPA.
2. Definitions
Customer means the person or organization using the Professional plan and entering into the Agreement with Raven.
Customer Personal Data or Professional Customer Personal Data means personal data contained in Professional Data that Raven processes on behalf of Customer as processor.
Data Protection Law means applicable data-protection, privacy, and cybersecurity laws governing the processing of Professional Customer Personal Data, including the GDPR, UK GDPR, Swiss Federal Act on Data Protection, and applicable U.S. state privacy laws where relevant.
Professional Data has the meaning given in the Terms of Service.
Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Professional Customer Personal Data processed by Raven.
The terms "controller," "processor," "personal data," "processing," "data subject," and "subprocessor" have the meanings given under applicable Data Protection Law.
3. Roles of the Parties
For Professional Customer Personal Data, Customer is the controller and Raven is the processor, except where Raven processes data as an independent controller for account administration, billing, payment, tax, security, fraud prevention, legal compliance, enforcement, service analytics outside the scope of Customer's controller instructions, or other controller purposes described in the Privacy Policy.
Customer is responsible for determining the purposes and means of processing Professional Customer Personal Data, establishing a lawful basis, providing required notices, obtaining required consents, and ensuring that Customer has all rights and permissions needed to use the Services.
Raven will process Professional Customer Personal Data only as described in this DPA, the Agreement, Customer's documented instructions, or as required by law.
4. Customer Instructions
Customer instructs Raven to process Professional Customer Personal Data to:
- provide, operate, host, maintain, secure, and support the Services;
- process prompts, files, requests, outputs, exports, integrations, and user actions;
- troubleshoot, debug, monitor, and improve service reliability and quality;
- provide requested support and customer communications;
- prevent abuse, fraud, security incidents, and policy violations;
- enforce the Agreement and plan limits;
- comply with law, legal process, sanctions, export controls, and regulatory obligations; and
- improve Raven's own Services where permitted by the Professional plan and not opted out by Customer.
Customer may provide additional documented instructions where required by Data Protection Law. Raven will inform Customer if, in Raven's reasonable opinion, an instruction infringes Data Protection Law, unless prohibited by law.
5. No Training, No Sale, and No Third-Party Research Use
For Professional Customer Personal Data, Raven will not:
- train or fine-tune AI/ML models;
- create reinforcement-learning environments;
- create third-party datasets or benchmarks;
- sell or license the data as Research Data;
- use the data for third-party research collaborations;
- allow third-party model providers to train or fine-tune on the data;
- use the data to improve third-party products; or
- externally disclose the data as Research Data.
Professional product-improvement use, if any, is limited to improving Raven's own Services and does not include AI/ML model training or fine-tuning. Customer may opt out of Professional product-improvement use as described in the Agreement.
6. Confidentiality and Personnel
Raven will ensure that personnel authorized to process Professional Customer Personal Data are subject to confidentiality obligations or appropriate statutory confidentiality duties.
Raven personnel will access Professional Customer Personal Data only as necessary to provide, secure, support, troubleshoot, maintain, or improve the Services, or to comply with law, as permitted by this DPA and the Agreement.
7. Security Measures
Raven will implement appropriate technical and organizational measures designed to protect Professional Customer Personal Data against unauthorized access, loss, misuse, alteration, or disclosure. Raven's measures are described in Annex 2.
Customer acknowledges that security measures may evolve over time, provided that Raven does not materially decrease the overall security of the Services during the subscription term.
8. Subprocessors
Customer authorizes Raven to use subprocessors, including infrastructure providers, hosting providers, service providers, security providers, support providers, analytics providers, payment-related providers, and model providers, to provide, secure, host, monitor, support, troubleshoot, maintain, and improve the Services as permitted by the Professional plan.
Raven will enter into written agreements with subprocessors that impose data-protection obligations no less protective in substance than this DPA, to the extent applicable to the subprocessor's processing.
Raven remains responsible for subprocessors' performance of their data-protection obligations to the extent required by Data Protection Law.
Raven will maintain and make available a list of subprocessors for the Professional plan. Raven will provide notice of new subprocessors by posting an updated list, sending notice, or providing another reasonable notice mechanism. Customer may object to a new subprocessor on reasonable data-protection grounds within 30 days after notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Customer may terminate the affected Professional Service to the extent the new subprocessor is necessary to provide it.
9. Model Providers
Raven may use model providers to process Professional prompts, files, requests, and outputs for inference or related service functionality.
Raven will contractually require and/or configure model providers not to use Professional Customer Personal Data to train or fine-tune their models, and not to retain Professional prompts, files, or outputs after processing except for temporary security, abuse-prevention, legal, debugging, reliability, or operational requirements permitted by their contracts with Raven and applicable law.
Raven will not permit model providers to use Professional Customer Personal Data to improve third-party products.
10. Data Subject Requests
Raven will provide reasonable assistance to Customer, to the extent legally required and technically feasible, for data subject requests relating to Professional Customer Personal Data.
If Raven receives a request directly from a data subject relating to Professional Customer Personal Data, Raven may direct the request to Customer, unless required by law to respond directly.
Customer is responsible for responding to data subject requests where Customer is the controller.
11. Assistance with DPIAs and Regulatory Inquiries
Taking into account the nature of processing and information available to Raven, Raven will provide reasonable assistance to Customer where legally required for data-protection impact assessments, prior consultations, regulator inquiries, and security obligations relating to Professional Customer Personal Data.
Raven may charge reasonable fees for assistance not included in the standard Services, unless prohibited by law or agreed otherwise.
12. Security Incidents
Raven will notify Customer without undue delay after becoming aware of a Security Incident affecting Professional Customer Personal Data.
Raven's notice will include information reasonably available to Raven to help Customer meet its legal obligations, which may include the nature of the incident, affected data categories, affected data subjects, likely consequences, mitigation measures, and contact information.
Raven will take reasonable steps to investigate, contain, and remediate a Security Incident. Raven's notice of or response to a Security Incident is not an admission of fault or liability.
Customer is responsible for determining whether it must notify data subjects, regulators, customers, insurers, or others.
13. Return and Deletion
Upon termination of the Professional plan or upon Customer's documented request, Raven will delete or return Professional Customer Personal Data according to the Services' functionality, Raven's retention practices, the Agreement, and applicable law.
Raven may retain Professional Customer Personal Data to the extent required by law, legal process, security, fraud prevention, dispute resolution, backup, or legitimate compliance needs, provided that retained data remains protected under this DPA until deleted or anonymized.
Backup copies may remain for a limited period as part of routine backup, disaster recovery, and business-continuity processes and will be protected under this DPA until deleted.
14. Audits and Compliance Information
Raven will provide information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, compliance documentation, subprocessor information, or other appropriate materials.
Audits must be reasonable, subject to confidentiality, limited to once per year unless required by law or following a confirmed Security Incident, and conducted in a manner that does not compromise Raven's security, confidential information, systems, trade secrets, or other customers' data.
Customer must provide reasonable advance notice of any audit. Raven may satisfy audit requests by providing independent audit reports, certifications, summaries, or written responses where appropriate.
15. International Transfers
Raven may process Professional Customer Personal Data in Switzerland, the EU/EEA, the United Kingdom, the United States, and other countries where Raven or its subprocessors operate.
Where Raven transfers Professional Customer Personal Data internationally and transfer safeguards are required, Raven will use appropriate transfer mechanisms, such as adequacy decisions, standard contractual clauses, the UK International Data Transfer Addendum or equivalent, Swiss transfer amendments, transfer-risk assessments, supplementary measures, or other lawful safeguards.
Where the European Commission's standard contractual clauses are required, the parties agree that the applicable modules are incorporated by reference as follows:
- Module Two applies to controller-to-processor transfers from Customer to Raven;
- Module Three applies to processor-to-processor transfers from Raven to subprocessors where applicable;
- the optional docking clause applies where needed to add parties;
- the competent supervisory authority and governing law will be determined under the standard contractual clauses and applicable Data Protection Law; and
- the technical and organizational measures are described in Annex 2.
For transfers subject to Swiss data-protection law, references in the standard contractual clauses to the GDPR will be interpreted to include the Swiss Federal Act on Data Protection where applicable, and references to EU Member States will be interpreted to include Switzerland where required.
If there is a conflict between the standard contractual clauses and this DPA, the standard contractual clauses control for the relevant transfer.
16. Customer Obligations
Customer is responsible for:
- using the correct plan for the data it uploads or processes;
- configuring accounts, workspaces, permissions, integrations, exports, and retention settings appropriately;
- ensuring that Professional Customer Personal Data is accurate, lawful, and limited to what is necessary;
- providing all required notices and obtaining all required consents or legal bases;
- responding to data subject requests where Customer is controller;
- ensuring that Customer's instructions comply with Data Protection Law;
- not uploading prohibited, sensitive, regulated, children's, export-controlled, or high-risk personal data unless permitted by the Agreement and applicable law; and
- independently reviewing and validating Generated Output before use.
17. Conflict and Precedence
If this DPA conflicts with the Terms of Service or Privacy Policy regarding Professional Customer Personal Data, this DPA controls.
If this DPA conflicts with standard contractual clauses that apply to an international transfer, the standard contractual clauses control for that transfer.
This DPA does not limit Raven's rights for Free or Regular Research Use under the Terms of Service.
Annex 1: Processing Details
Subject matter
Raven processes Professional Customer Personal Data to provide AI-assisted CAD, Rhino, Grasshopper, geometry, scripting, design-automation, collaboration, support, security, and related services to Customer.
Duration
Processing continues for the term of the Professional plan and for any additional period required for deletion, backup, legal, security, billing, dispute, compliance, or retention purposes described in the Agreement and this DPA.
Nature and purpose of processing
The processing may include hosting, storage, transmission, retrieval, access, organization, structuring, analysis, inference, generation, editing, troubleshooting, debugging, monitoring, logging, support, security, abuse prevention, fraud prevention, backup, deletion, and return of Professional Customer Personal Data.
Categories of data subjects
Data subjects may include Customer's users, administrators, employees, contractors, consultants, clients, prospects, end users, collaborators, and other individuals whose personal data appears in Professional Data.
Categories of personal data
Professional Customer Personal Data may include names, emails, business contact details, usernames, workspace identifiers, role information, account permissions, filenames, comments, metadata, prompts, scripts, CAD files, Rhino files, Grasshopper files, model data, geometry data, generated outputs, support materials, usage data, diagnostic data, and other personal data included in Professional Data.
Sensitive data
The Services are not intended for special-category data, sensitive personal data, protected health information, children's data, precise geolocation, biometric identifiers, government identifiers, payment card numbers, export-controlled personal data, or other regulated data unless expressly agreed in writing or permitted by the Agreement and applicable law.
Frequency of transfer
Continuous or intermittent, depending on Customer's use of the Services.
Subprocessor transfers
Subprocessor transfers occur as necessary to provide, secure, host, monitor, support, troubleshoot, maintain, and improve the Services as permitted by the Professional plan.
Annex 2: Technical and Organizational Measures
Raven's technical and organizational measures may include the following, as appropriate to the nature of the Services and risk.
Access controls
- role-based and least-privilege access;
- authentication controls;
- access review processes;
- separation of customer workspaces where applicable;
- restrictions on personnel access to Professional Customer Personal Data; and
- logging of administrative or sensitive access where appropriate.
Transmission and storage security
- encryption in transit using industry-standard protocols;
- encryption or equivalent protections for stored data where appropriate;
- secure credential and secret management;
- backup and disaster-recovery controls; and
- controls designed to prevent unauthorized copying or disclosure.
Operational security
- monitoring, logging, and alerting for security and reliability;
- vulnerability management;
- patch management processes;
- malware and abuse prevention controls;
- incident-response procedures;
- secure configuration practices; and
- supplier and subprocessor review processes.
Product and AI controls
- plan-based data-use restrictions;
- Professional no-training restrictions;
- model-provider contractual and/or configuration controls;
- abuse-prevention controls;
- output warnings and export acknowledgments where appropriate;
- testing and evaluation for selected risk areas; and
- logging for security, support, auditability, and abuse prevention where appropriate.
Personnel and governance
- confidentiality obligations for personnel;
- security awareness measures;
- internal access policies;
- vendor management;
- data-protection and security governance; and
- periodic review of controls.
Annex 3: Subprocessors
Raven will maintain and make available a current list of subprocessors for the Professional plan. The list should identify, where applicable:
- subprocessor name;
- processing purpose;
- categories of data processed;
- processing location;
- transfer mechanism where required; and
- whether the subprocessor is an infrastructure provider, model provider, security provider, support provider, analytics provider, payment-related provider, or other service provider.
Customer may request the current subprocessor list by contacting legal@raven.build unless Raven provides a public subprocessor page or in-product notice.
Annex 4: Transfer Safeguards
Where transfer safeguards are required, Raven will use one or more lawful transfer mechanisms, such as:
- adequacy decisions;
- European Commission standard contractual clauses;
- UK International Data Transfer Addendum or UK-approved transfer terms;
- Swiss transfer amendments or equivalents;
- transfer-risk assessments;
- supplementary technical, organizational, or contractual measures; or
- another lawful transfer mechanism under applicable Data Protection Law.
Customer authorizes Raven to implement appropriate transfer mechanisms with subprocessors as necessary to provide the Services.
Annex 5: Professional No-Training and Data-Use Controls
For Professional Data, Raven applies plan-based restrictions designed to prevent the following unless Customer expressly agrees otherwise in writing:
- AI/ML model training or fine-tuning using Professional Data;
- reinforcement-learning environments created from Professional Data;
- third-party datasets or benchmarks created from Professional Data;
- sale or licensing of Professional Data as Research Data;
- third-party research collaborations using Professional Data;
- third-party model-provider training or fine-tuning using Professional Data; and
- use of Professional Data to improve third-party products.
Professional product-improvement use, if any, is limited to improving Raven's own Services and does not include AI/ML model training or fine-tuning. Customer may opt out of Professional product-improvement use as described in the Agreement.